PhatBot Trojan Spreading Rapidly On Windows PCs 645
prostoalex writes "The Washington Post alerts Windows users about a new peer-to-peer backdoor client that is installed maliciously on broadband-connected computers around Asia and the United States. The client is then used for distributed DOS attacks and sending out large amounts of spam. Phatbot, according to government sources, is installed on hundreds of thousands machines already. Phatbot snoops for passwords on infected computers and tries to disable firewall and antivirus software, albeit it is detectable by antivirus packages." An anonymous reader submits a link to this description of the beast.
nice features list (Score:5, Informative)
# Checks to see if it is allowed to send mail to AOL, for spamming purposes
# Can steal Windows Product Keys
# Can run an IDENT server on demand
# Starts an FTP server to deliver the trojan binary to exploited hosts - ends the FTP session with the message "221 Goodbye, have a good infection
# Can run a socks, HTTP or HTTPS proxy on demand
# Can start a redirection service for GRE or TCP protocols
# Can scan for and use the following exploits to spread itself to new victims: * DCOM * DCOM2 * MyDoom backdoor * DameWare * Locator Service * Shares with weak passwords * WebDav * WKS - Windows Workstation Service
# Attempts to kill instances of MSBlast, Welchia and Sobig.F
# Can sniff IRC network traffic looking for logins to other botnets and IRC operator passwords
# Can sniff FTP network traffic for usernames and passwords
# Can sniff HTTP network traffic for Paypal cookies
# Contains a list of nearly 600 processes to kill if found on an infected system.Some are antivirus software, others are competing viruses/trojans
# Tests the available bandwidth by posting large amounts of data to the following websites:
* www.st.lib.keio.ac.jp
* www.lib.nthu.edu.tw
* www.stanford.edu
* www.xo.net
* www.utwente.nl
* www.schlund.net
# Can steal AOL account logins and passwords
# Can steal CD Keys for several popular games
# Can harvest emails from the web for spam purposes
# Can harvest emails from the local system for spam purposes
Happened to a friend (Score:2, Informative)
Re:Idea? (Score:3, Informative)
So if Joe User gets infected and is running as administrator, the virus can un-write-protect memory and keep going.
This is a classic offense vs. defense escalation and is the type of problem Rootkits pose as well.
Re:Detection/Removal instructions? (Score:5, Informative)
"Manual Removal
Look for the following registry keys:
HKLM\Software\Microsoft\Windows\CurrentVersion\
HKLM\Software\Microsoft\Windows\CurrentV
The associated binary may be srvhost.exe, svrhost.exe or a variation of the same. Kill the associated process in the Task Manager, then remove the "Generic Service Process" registry key. Remove the executable from the Windows system directory."
google cash of description (Score:2, Informative)
Related links and info (Score:5, Informative)
http://news.yahoo.com/fc?tmpl=fc&cid=34&in=tech& ca t=hackers_and_crackers
http://www.f-secure.com/v-descs/agobot_fo.shtml
Detailed Description
First of all, this new variant has 'Phatbot3' identifier and there are a few 'phat' string in its body. This may indicate that this version was not made by the original Agobot backdoor author, who calls himself TheAgo, but by a different person/group who got the source code of this backdoor.
The backdoor's file is a PE executable 115738 bytes long compressed with PE-Diminisher file compressor. The unpacked file's size is over 245 kilobytes.
Installation to system
The Agobot.FO backdoor copies itself as NVCHIP4.EXE file to Windows System folder and creates startup keys for this file in System Registry:
[HKLM\Software\Microsoft\Windows\Curren tVersion\Ru n]
"nVidia Chip4" = "nvchip4.exe"
[HKLM\Software\Microsoft\Windows\Cu rrentVersion\Ru nServices]
"nVidia Chip4" = "nvchip4.exe"
This allows the backdoor's file to start with every Windows session. On Windows NT-based systems the backdoor can start as a service.
Scanning for vulnerable computers
The backdoor can scan subnets for exploitable computers and send a list of their IPs to the bot operator. The scan is performed on ports 80, 135 and 445 for RPC/DCOM (MS03-026), RPC/Locator (MS03-001) and WebDAV (MS03-007) vulnerabilities. The backdoor can also scan for computers infected with MyDoom worm (port 3127), Bagle worm (port 2745) and also for computers where DameWare remote system management software is installed (port 6129).
Performing a DDoS attack
The backdoor can perform the following types of DDoS (Distributed Denial of Service) attacks:
* HTTP flood * SYN flood * UDP flood * ICMP flood
When performing a DDoS attack, the backdoor uses 33 unique client identifiers including Mozilla, Wget, Scooter, Webcrawler and Google bot.
The backdoor sends 256000 bytes of random data to the following websites and checks the response times:
www.schlund.net
www.utwente.nl
www.xo.net
www.stanford.edu
www.lib.nthu.edu.tw
www.st.lib.keio.ac.jp
Collecting e-mail addresses
The bot can harvest e-mail addresses. It has the functionality to read user's Address Book and send the list of e-mail addresses to the bot operator.
Obtainint Registry info
The backdoor has the functionality to obtain System Registry info from an infected computer. This is a new feature for Agobot backdoor. Information obtained from the Registry can give a hacker a full overview of an infected system.
Spreading to local network
Agobot backdoor can scan computers on local network and copy itself there. The scan is initiated by a remote hacker. When spreading to local network, Agobot.FO probes the following shares:
admin$ c$ d$ e$ print$ c
Agobot.FO tries to connect using the following account names:
(SEE LINKS AT TOP FOR INFORMATION)
When connecting, Agobot.FO uses the following passwords:
(SEE LINKS AT TOP FOR DETAILS)
If the worm succeeds connecting to the above listed shares, it copies itself to a remote share and attempts to start that file as a service. The alternative way of infecting a remote host is to create a scheduled task on a remote computer that will start the backdoor's file.
Teminating processes of security and anti-virus programs
Agobot.FO has a huge list of process file names hardcoded in its body. The backdoor tries to terminate processes that have the following names:
(NAMES REMOVED SO POST WOULD WORK, FOLLOW LINKS AT TOP)
This functionality allows the backdoor to successfully disable anti-virus and security software that can not detect this backdoor before it's file is started. In most cases special tools are required to clean a computer infected with this backdoor.
Additionally the
Lurhq slashdotted (Score:2, Informative)
For a mainframe version... (Score:5, Informative)
For a mainframe version of the story see _The Adolescence of P1_.
(I'd dig up an Amazon link but I'm busy right now.)
Mirror (Score:5, Informative)
http://www.joestewart.org/phatbot.html [joestewart.org]
-Joe
Re:Idea? (Score:3, Informative)
i copied for mirror (Score:2, Informative)
AV companies have no info (Score:2, Informative)
F-Secure (an 'expert' in the article) has no listing for Phatbot.
Re:nice features list (Score:5, Informative)
Checking out the vulnerabilities used by Phatbot, I'm guessing most, if not all, of these holes were patched long ago. Short of forcing regular patching and upgrades, I guess there's not much that can be done to get around this. I get a shocking number of people through the store who never, ever use Windows Update.
One part bad security model, one part careless users. Really, if there was an announced problem with your car that might lead to a thief getting in and driving off with it, wouldn't you get it fixed? Would you leave your door unlocked because it makes entering your car easier when you're in a rush?
Computers have been sold as appliances, when they should be sold as flexible tools that aren't difficult to use, but take a minor bit of effort to maintain. I bet I could make big bucks just going to people's homes and carrying out basic upgrading and patching activities. $50/hr for running Windows Update, Ad-Aware and AVG, here I come...
From the LURHQ alert (Score:5, Informative)
Manual Removal
Look for the following registry keys:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run \Generic Service Processn Services\Generic Service Process
HKLM\Software\Microsoft\Windows\CurrentVersion\Ru
The associated binary may be srvhost.exe, svrhost.exe or a variation of the same. Kill the associated process in the Task Manager, then remove the "Generic Service Process" registry key. Remove the executable from the Windows system directory.
Snort Signatures
Here are some Snort signatures to detect Phatbot on a network:
alert tcp any any -> any any (msg:"Agobot/Phatbot Infection Successful"; flow:established; content:"221 Goodbye, have a good infection |3a 29 2e 0d 0a|"; dsize:40; classtype:trojan-activity; reference:url,www.lurhq.com/phatbot.html; sid:1000075; rev:1;)
alert tcp any any -> any any (msg:"Phatbot P2P Control Connection"; flow:established; content:"Wonk-"; content:"|00|#waste|00|"; within:15; classtype:trojan-activity; reference:url,www.lurhq.com/phatbot.html; sid:1000076; rev:1;)
Re:Trojans and the like (Score:3, Informative)
Re:The power of viruses (Score:1, Informative)
Re:Suspicious... (Score:5, Informative)
I consider the addition of the WASTE code and removal of the IRC code to be significant enough to call this by a new name. Not to mention all the other added features that are not part of the Agobot code.
-Joe
Re:nice features list (Score:3, Informative)
Re:paypal? (Score:3, Informative)
Re:nice features list (Score:1, Informative)
Re:How about a virus that educates users? (Score:3, Informative)
Interesting, yes. But, unfortunately, its delivery to the user wouldn't differ significantly from the endless popups proclaiming "Your PC is broadcasting its address!!!!" Very hard to tell the valid from the evil to the unwashed.
Later, one of the little kiddies will take it apart, insert some small malicious thing, and send it on its way again.
Re:Is it just me... (Score:3, Informative)
Portion or Synapsis of DHS Alert? (Score:1, Informative)
From:http://www.dslreports.com/forum/rema
"Note from Microsoft concerning the second scan...
------------
Our Security team says:
The Dept of Homeland security has issued an alert on a new bot that maybe
related:
To NCC Telecom-ISAC members (Routine lists), Info NSIE Info N2 Below are details, received from a trusted source, regarding a new bot discovered this morning. We are listing first the important highlights from the analysis write-up, followed with a more detailed technical analysis. We would
appreciate any further information or feedback on this information.
Important highlights
* Kaspersky does NOT yet recognize this file as a trojan; it is unclear if
other AV software detects Phatbot. All attempts to kill the process will
respawn a new one.
All attempts to remove the malware have failed in our tests.
* Thus far, we've witnessed the following spreading mechanisms:
TCP 135 (Win9x Netbios)
TCP 139 (Win9x Netbios)
TCP 445 (Win2k Shares)
TCP 3127 (Mydoom)
TCP 6129 (Dameware)
* Based on strings output this bot appears to include the following:
- multiple DDOS capabilities
- multiple spying capabilities
- disables at least some Anti-Virus, Anti-trojan, and Personal Firewall
software
* The bot appears to offer relay capability by listening on:
TCP 63808 (Socks)
TCP 63809 (HTTP)
TCP 65506 (SSL)
Infected hosts should have these ports open, along with TCP 4387.
* How to spot Phatbot:
- Watch for ingress or egress active opens (SYN packets) to TCP 4387.
- Watch for ingress or egress active opens (SYN packets) to TCP 4387, TCP
63808, TCP 63809, and TCP 65506. This
*may* indicate the presence of the bot.
Detailed Analysis
Unfortunately, it appears as if peer-to-peer communication is making its way
further into bots. The latest bit of malware we received, code named
"phatbot," has some interesting characteristics we'd like to pass along to
you. Unfortunately we've not been able to get to the bottom of everything
yet, but thought a little bit of information would be better than nothing!
This bot appears to be a derivative of the infamous Agobot. There is a fair
bit of shared code, at the very least.
This malware affects windows machines and installs as
%SystemRoot%\system32\srvhost.exe, e.g. c:\windows\system32\srvhost.exe. The
malware runs as "%SystemRoot%\system32\srvhost.exe -service". The malware is
PE encrypted with PE-Crypt.Wonk. Kaspersky does NOT yet recognize this file
as a trojan; it is unclear if other AV software detects Phatbot. All
attempts to kill the process will respawn a new one. All attempts to remove
the malware have failed in our tests.
It is unclear how many hosts are infected or how large the P2P botnet has
become.
Thus far, we've witnessed the following spreading mechanisms:
TCP 135 (Win9x Netbios)
TCP 139 (Win9x Netbios)
TCP 445 (Win2k Shares)
TCP 3127 (Mydoom)
TCP 6129 (Dameware)
The scanning is not launched at startup. The scans appear to be sequential,
e.g. the infected host scans TCP 135, 139, 445, 3127, and 6129 on each
scanned IP. This may be a means by which to detect the scan and sploit
activities of Phatbot.
Based on strings output this bot appears to include the following:
- multiple DDOS capabilities
- multiple spying capabilities
- disables at least some Anti-Virus, Anti-trojan, and Personal Firewall
software
"
Re:nice features list (Score:5, Informative)
I'm currently working at a company that is migrating to WinXP in a very locked down environment. Everyone is a user and software restriction policies only allow files to be executed from specific locations. Users have no write access to C: at all... all user profiles and data are on D: (which is not allowed to execute anything).
My job is to make the apps work. It's horrible. We have to give write access to the app's dir in Program Files to probably 40% of the apps. Some apps require write access to the root of C:\. Many want to create/modify files in Windows and System32. Far too many insist on writing to HKLM and even HKCR.
We repackage all the apps as MSIs and include the needed permissions changes in the installer. By the time the apps are loaded, most machines security have been drastically compromised.
Re:paypal? (Score:5, Informative)
PayPal Warning [paypalwarning.com]
About PayPal [aboutpaypal.org]
Google [google.com]
That ougth to keep you busy for a few days
Re:nice features list - OSS based? (Score:2, Informative)
That would appear to be the case:
The author(s) of Phatbot chose to abandon Agobot's IRC and P2P implementations altogether and replaced them with code from WASTE, a project created by AOL's Nullsoft division (and subsequently canceled by AOL).
Re:Mirror (Score:4, Informative)
http://www.d.umn.edu/~shar0213/gcache.php
http
http://gwebcache.h4
http://gwc.gwc.niet.net/gwc/gcac
http://www.rodage.net/gnetcache/gcache.php
http://www.blackfedora.com/gcache/perlgcache.cgi
http://g2wc.markushenn.de/gwcii.php
http://www.
http://www.edazzle.net/gerry/gerry2.asp
h
http://www.xolox.nl/gwebcache/default.asp
http
Look for hosts using port 4387, pretending to be GNUT clients.
-Joe
Re:nice features list (Score:2, Informative)
Re:Detection/Removal instructions? (Score:2, Informative)
Re:nice features list (Score:5, Informative)
Re:Spammer-Sponsored (Score:3, Informative)
Re:For a mainframe version... (Score:2, Informative)
Only because Amazon is far too literal. If you search for The Adolescence of P1 on Amazon, you get all of that drek at the top of your search, but if you search for The Adolescence of P-1 (which is the correct spelling of the title) the right book is the top match. Google also give the correct page on Amazon when given the correct spelling, and it manages to get it in the top 10 when given the incorrectly spelled version. Given that Google is searching the whole web and not just Amazon, I'd say that Google wins that one handily.
Re:possible hoax? (Score:4, Informative)
It's not. I spent several hours analyzing it. You can connect to the Gnutella cache servers and see Phatbot clients registered using port 4387. You can portscan the infected hosts, find the mini-ftp server it runs and download the code yourself if you need tangible proof.
The list of *features* as one poster put it is indeed staggering.
Most of these features are part of Agobot. Yet no one disputes its existence.
That, coupled with the silence coming from Symantec, McAfee et al. makes it look fishy.
They're not silent - to them this is just another Agobot variant, one of dozens released in the last few months. And they are not making a big deal about it because it really isn't that much of a threat. If you're running Windows with the latest patches and aren't infected with MyDoom or a Dameware backdoor and aren't using weakly passworded shares, you have nothing to worry about from this trojan.
So that leaves me with 3 questions:
1 - Is it real
Yes.
2 - How do we detect it
With just about any AntiVirus solution.
3 - How do we kill it.
In terms of killing it from one machine: disinfect manually or use a tool from the AV companies. In terms of killing the entire network, you would need to reprogram the Gnutella cache servers it uses to detect and refuse connections from the Phatbots.
-Joe
Re:The meaning of "Trojan" (Score:2, Informative)
While we're nit-picking definitions, I'd like to point out that this is a worm, not a virus. If it needs human help to spread (between machines), it's a virus. If it spreads itself, it's a worm.
Here's a more academic [stanford.edu] definition.
Re:nice features list (Score:4, Informative)
I've been in regular contact with an antivirus vendor's support people over 2 weeks trying to explain to them that it is NOT acceptable for users to have Power User privileges in order for their AV definitions to auto-update... It's like talking to a brick wall, here's an example of their 'support' verbatim:
Sorry? Do you mean give everyone full control to my system drive, as well as your AV definitions, configuration files and executable code? You've got to be kidding!
And surely you'd think that AV vendors would understand better than most the need for their software to operate under the principle of least privilege.
Give me a Mac (or other *nix) box anyday is what I say...